OAuth

Todo

Docstrings (module, models, provider)

Models

class indico.modules.oauth.models.applications.OAuthApplication(**kwargs)

Bases: sqlalchemy.ext.declarative.api.Model

OAuth applications registered in Indico.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

client_id

the OAuth client_id

client_secret

the OAuth client_secret

client_type
default_redirect_uri
default_scopes

the OAuth default scopes the application may request access to

description

human readable description

id

the unique id of the application

is_enabled

whether the application is enabled or disabled

is_trusted

whether the application can access user data without asking for permission

locator
name

human readable name

redirect_uris

the OAuth absolute URIs that an application may use to redirect to after authorization

reset_client_secret()
system_app_type

the type of system app (if any); system apps cannot be deleted

validate_redirect_uri(redirect_uri)

Called by flask-oauthlib to validate the redirect_uri.

Uses logic similar to GitHub's: the protocol and host/port must match exactly, and if the whitelisted URL has a path, the path of the redirect_uri must start with that path.
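The matching rule described above, written out as an added example (this is not Indico's own code). The function name, the segment_boundary option (a stricter variant that is not described on this page) and the sample URIs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample whitelist, not taken from any real deployment.
REGISTERED = ['https://app.example.com/oauth/callback', 'http://localhost:8080']


def redirect_uri_allowed(redirect_uri, registered_uris, segment_boundary=False):
    """Check redirect_uri against a whitelist of registered URIs.

    Rule as described: scheme and host/port must be identical, and the path
    must start with the registered path (if the registered URI has one).

    segment_boundary=True is a stricter variant (an assumption of this
    example): the prefix must end on a "/" boundary and literal dot
    segments in the path are rejected.
    """
    target = urlsplit(redirect_uri)
    if segment_boundary and any(s in ('.', '..') for s in target.path.split('/')):
        return False
    for registered in map(urlsplit, registered_uris):
        # netloc carries userinfo, host and port, so all of them must match.
        if (target.scheme, target.netloc) != (registered.scheme, registered.netloc):
            continue
        if not target.path.startswith(registered.path):
            continue
        if segment_boundary and registered.path and not registered.path.endswith('/'):
            rest = target.path[len(registered.path):]
            if rest and not rest.startswith('/'):
                continue  # e.g. /oauth/callback-other is a sibling, not a sub-path
        return True
    return False


if __name__ == '__main__':
    for uri in ('https://app.example.com/oauth/callback/done?x=1',
                'https://app.example.com:8443/oauth/callback',
                'https://app.example.com/oauth/callback-other'):
        print(uri, redirect_uri_allowed(uri, REGISTERED),
              redirect_uri_allowed(uri, REGISTERED, segment_boundary=True))
```

A plain prefix comparison also accepts sibling paths such as /oauth/callback-other, so registering the most specific path, ending in a slash, keeps the accepted set narrow.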

class indico.modules.oauth.models.applications.SystemAppType

Bases: int, indico.util.struct.enum.IndicoEnum

checkin = 1
default_data
enforced_data
flower = 2
none = 0

class indico.modules.oauth.models.tokens.OAuthGrant(client_id, code, redirect_uri, user, scopes, expires)

Bases: object

OAuth grant token.

delete()
classmethod get(client_id, code)
key
classmethod make_key(client_id, code)
save()
ttl

class indico.modules.oauth.models.tokens.OAuthToken(**kwargs)

Bases: sqlalchemy.ext.declarative.api.Model

OAuth tokens.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

access_token

an unguessable unique string of characters

application

application authorized by this token

application_id

the identifier of the linked application

expires
id

the unique identifier of the token

last_used_dt

the last time the token was used by the application

locator
scopes

The set of scopes the linked application has access to.

type
user

the user who owns this token

user_id

the identifier of the linked user

Utilities

exception indico.modules.oauth.provider.DisabledClientIdError(description=None, uri=None, state=None, status_code=None, request=None)

Bases: oauthlib.oauth2.rfc6749.errors.FatalClientError

description: A human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred. Values for the “error_description” parameter MUST NOT include characters outside the set x20-21 / x23-5B / x5D-7E.

uri: A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error. Values for the “error_uri” parameter MUST conform to the URI-Reference syntax, and thus MUST NOT include characters outside the set x21 / x23-5B / x5D-7E.

state: A CSRF protection value received from the client.

request: Oauthlib Request object

error = u'application_disabled_by_admin'
indico.modules.oauth.provider.load_client(client_id)
indico.modules.oauth.provider.load_grant(client_id, code)
indico.modules.oauth.provider.load_token(access_token, refresh_token=None)
indico.modules.oauth.provider.save_grant(client_id, code, request, *args, **kwargs)
indico.modules.oauth.provider.save_token(token_data, request, *args, **kwargs)